Allow globs within hostnames?
I would like to allowlist the pattern
access-analyzer.*.amazonaws.com
The second component of AWS endpoints is the region. It would be nice not to need to spell out every single region like access-analyzer.us-west-2.amazonaws.com, ... and in particular it would be nice not to need to update this or deal with breakage when new regions are added.
Today Smokescreen seems to intentionally deny globs other than as a single component at the start of a domain: https://github.com/stripe/smokescreen/blob/bffe947fa6f682884d48592ff7e9ed13bb7941a4/pkg/smokescreen/acl/v1/acl.go#L246-L266 (At least it gives a clear error!)
I don't know why this was added; perhaps there was a concern that globs within a domain might be misused or confusing? But I think there are also legitimate cases, and it doesn't seem like it would be too hard to support technically.
I can also imagine people wanting to allow *.*.amazonaws.com.
I like this feature request.
Do you have cases in mind for "there was a concern that globs within a domain might be misused or confusing"?
Thanks!
> Do you have cases in mind for "there was a concern that globs within a domain might be misused or confusing"?
I don't know, I was just trying to infer why people might have chosen to specifically block this in the past.
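An added example, not part of the thread and not Smokescreen's ACL code: one way the requested matching could stay unambiguous is to let each `*` stand for exactly one DNS label. The function names and the rule that the last two labels must be literal are assumptions made for this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// validateGlob enforces an assumed policy: "*" must be a whole label, and the
// final two labels must be literal so a rule cannot cover "*.com" or "*.*".
func validateGlob(pattern string) error {
	labels := strings.Split(strings.TrimSuffix(pattern, "."), ".")
	for i, l := range labels {
		if l == "" {
			return errors.New("empty label")
		}
		if l != "*" && strings.Contains(l, "*") {
			return errors.New("partial-label glob: " + l)
		}
		if l == "*" && i >= len(labels)-2 {
			return errors.New("glob in the last two labels")
		}
	}
	return nil
}

// matchHostGlob reports whether host matches pattern, where each "*" label
// matches exactly one non-empty DNS label and never a dot.
func matchHostGlob(pattern, host string) bool {
	if validateGlob(pattern) != nil {
		return false
	}
	// Compare case-insensitively and ignore a single trailing root dot.
	pl := strings.Split(strings.ToLower(strings.TrimSuffix(pattern, ".")), ".")
	hl := strings.Split(strings.ToLower(strings.TrimSuffix(host, ".")), ".")
	if len(pl) != len(hl) {
		return false // a glob never spans several labels
	}
	for i, p := range pl {
		if hl[i] == "" || strings.Contains(hl[i], "*") || (p != "*" && p != hl[i]) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample hostnames.
	for _, h := range []string{"access-analyzer.us-west-2.amazonaws.com", "access-analyzer.a.b.amazonaws.com"} {
		fmt.Println(h, matchHostGlob("access-analyzer.*.amazonaws.com", h))
	}
}
```

Because the label counts must be equal, a newly added region matches without a config change, while hosts with extra or missing labels do not.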